marcio.fernandes/nextcloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

storage normalization, security middlewares
All checks were successful
/ continuous-deploy (push) Successful in 23s
Details

Browse Source
This commit is contained in:
Márcio Fernandes
2026-04-08 12:19:43 +00:00
parent 784fe2600f
commit 374f369ea2
6 changed files with 134 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.vscode/settings.json vendored Normal file
View File

@@ -0,0 +1,5 @@
{
"cSpell.words": [
"authentik"
]
}

24
README.md
View File

@@ -12,6 +12,8 @@ Using [NextCloud](https://nextcloud.com/)
- [preview generator](#preview-generator)
- [repair tree](#repair-tree)
- [Repair AppData Cache (Fix App Store 500 Error)](#repair-appdata-cache-fix-app-store-500-error)
- [force create indexes](#force-create-indexes)
- [Mimetype migrations available](#mimetype-migrations-available)
- [delete file locks](#delete-file-locks)
- [Setup and Deploy](#setup-and-deploy)
- [App](#app)
@@ -73,7 +75,7 @@ This procedure clears the broken cache and forces Nextcloud to rebuild it.
```bash
# Enable maintenance mode
sudo -u www-data php occ maintenance:mode --on
su -s /bin/bash www-data -c "php occ maintenance:mode --on;"
# Remove stale filecache entries (run inside MariaDB)
mariadb -u root -p nextcloud -e "DELETE FROM oc_filecache WHERE path LIKE 'appdata_ocuihfjhxkga/appstore%';"
@@ -82,10 +84,26 @@ mariadb -u root -p nextcloud -e "DELETE FROM oc_filecache WHERE path LIKE 'appda
rm -rf /var/www/html/data/appdata_*
# Disable maintenance mode
sudo -u www-data php occ maintenance:mode --off
su -s /bin/bash www-data -c "php occ maintenance:mode --off"
# Rebuild appdata and caches
sudo -u www-data php occ maintenance:repair
su -s /bin/bash www-data -c "php occ maintenance:repair"
```
### force create indexes
```bash
# Rebuild appdata and caches
su -s /bin/bash www-data -c "php occ db:add-missing-indices"
```
### Mimetype migrations available
```bash
# Rebuild appdata and caches
su -s /bin/bash www-data -c "php occ maintenance:repair --include-expensive"
```
### delete file locks

17
deploy/app/helm-values.yaml
View File

@@ -118,25 +118,26 @@ nextcloud:
extraVolumeMounts:
- name: mf-nextcloud
mountPath: /var/www/html/data/marcio.fernandes/files
mountPath: /mnt/users/marcio.fernandes
- name: mf-documents
mountPath: /var/www/html/data/marcio.fernandes/files/Documents
mountPath: /mnt/users/marcio.fernandes/Documents
- name: mf-photos
mountPath: /var/www/html/data/marcio.fernandes/files/Photos
mountPath: /mnt/users/marcio.fernandes/Photos
- name: media-gaming
mountPath: /var/www/html/data/marcio.fernandes/files/Gaming
mountPath: /mnt/shared/Gaming
- name: media-music
mountPath: /var/www/html/data/marcio.fernandes/files/Music
mountPath: /mnt/shared/Music
- name: media-videos
mountPath: /var/www/html/data/marcio.fernandes/files/Videos
mountPath: /mnt/shared/Videos
- name: it-storage
mountPath: /var/www/html/data/marcio.fernandes/files/NeirdStorage
mountPath: /mnt/shared/NerdStuff
configs:
# appstore.override.config.php: |-
# <?php

76
deploy/infra/ingress.yaml
View File

@@ -1,26 +1,64 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: cloud-limbosolutions-com
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
spec:
ingressClassName: traefik
rules:
- host: cloud.limbosolutions.com
http:
paths:
- backend:
service:
name: nextcloud
port:
number: 8080
path: /
pathType: Prefix
spec:
entryPoints:
- websecure
tls:
- secretName: cloud-limbosolutions-com-secret-tls
hosts:
- cloud.limbosolutions.com
secretName: cloud-limbosolutions-com-tls
domains:
- main: cloud.limbosolutions.com
routes:
# AUTHENTIK OUTPOST
- match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/outpost.goauthentik.io`)
kind: Rule
services:
- name: ak-outpost-authentik-embedded-outpost
namespace: id-limbosolutions-com
port: 9000
# 1) PUBLIC SHARES (NO SSO)
- match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/s/`) || PathPrefix(`/index.php/s/`) || PathPrefix(`/public.php/`) || PathPrefix(`/remote.php/dav/public-files/`))
kind: Rule
services:
- name: nextcloud
port: 8080
middlewares:
- name: rate-limit
- name: security-headers
# 2) WEBDAV / SYNC CLIENTS (NO SSO)
- match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/remote.php/dav`) || PathPrefix(`/remote.php/webdav`) || PathPrefix(`/remote.php/caldav`) || PathPrefix(`/remote.php/carddav`))
kind: Rule
services:
- name: nextcloud
port: 8080
middlewares:
- name: webdav-strip-auth
- name: rate-limit
# 3) EVERYTHING ELSE (SSO REQUIRED)
- match: Host(`cloud.limbosolutions.com`)
kind: Rule
services:
- name: nextcloud
port: 8080
middlewares:
# middleware managed by icarus
- name: authentik-forward-auth
namespace: kube-system
- name: security-headers
- name: rate-limit

1
deploy/infra/kustomization.yaml
View File

@@ -3,6 +3,7 @@ kind: Kustomization
resources:
- namespace.yaml
- cd-serviceaccount.yaml
- middlewares.yaml
- ingress.yaml
- storage-limbosolutions-com/pv.yaml
generatorOptions:

41
deploy/infra/middlewares.yaml Normal file
View File

@@ -0,0 +1,41 @@
# Strip Authorization header for WebDAV so Authentik doesn't try to interpret Basic Auth
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: webdav-strip-auth
spec:
headers:
customRequestHeaders:
Authorization: ""
---
# Rate limit to protect from brute force / bots
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rate-limit
spec:
rateLimit:
average: 50
burst: 100
---
# Optional: security headers for UI
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: security-headers
spec:
headers:
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
browserXssFilter: true
contentTypeNosniff: true
frameDeny: true
referrerPolicy: "no-referrer"
customResponseHeaders:
X-Content-Type-Options: "nosniff"
X-Frame-Options: "DENY"
X-XSS-Protection: "1; mode=block"